DNS Security and Threat Mitigation: An Overview of Domain Name System Threats and Strategies for Securing a BIND Name Server
by
Jeff S. Drakeon
29/11/06

The Internet is a seemingly limitless source of information. It provides the power of collective knowledge and information to a vast array of users who access innumerable resources for countless reasons. These resources are typically accessed by using a human readable name designed to be easily remembered, thus increasing the usability of the resource. These human readable names, as the very term implies, are for the sake of the human users. Network devices, however, find each other by using a number, referred to as IP (Internet Protocol) addresses. The Domain Name System is the service that maps the human readable names to device specific IP addresses creating the user friendly nature of networked systems.

The Internet and millions of other networks are dependent upon the functionality of the Domain Name System. DNS is a complex, hierarchical system of distributed databases which are dependent upon each other to respond to queries by network users. The failure of this system at any level has crippling effects on network access. An infiltration of the DNS system can lead to disastrous consequences by directing unsuspecting users to network locations that are designed to steal their valuable information. Given the interconnected nature of economic, military and political communications, protecting this DNS structure from threats has taken on a new level of significance. BIND is the standard DNS server used on Linux and Unix systems. This document will first present an overview of the DNS architecture and name resolution process as well as describe common threats to DNS. Finally this document will outline some of the defensive configurations that can be implemented in BIND to help protect against some of these common threats.